Posted to commits@bookkeeper.apache.org by ni...@apache.org on 2022/04/05 10:02:32 UTC
[bookkeeper] branch branch-4.14 updated: [BRANCH-4.14] Replace Log4J with Reload4J
This is an automated email from the ASF dual-hosted git repository.
nicoloboschi pushed a commit to branch branch-4.14
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
The following commit(s) were added to refs/heads/branch-4.14 by this push:
new 1945fe0eb [BRANCH-4.14] Replace Log4J with Reload4J
1945fe0eb is described below
commit 1945fe0ebf59225ebe78249f760e4d261ffabcfb
Author: Nicolò Boschi <bo...@gmail.com>
AuthorDate: Tue Apr 5 12:02:27 2022 +0200
[BRANCH-4.14] Replace Log4J with Reload4J
### Motivation
Log4J is dead and it has a lot of vulnerabilities. We already switched to Log4J2 on the master branch.
The easiest way to replace it is to use [reload4j](https://reload4j.qos.ch/).
### Changes
* Update org.slf4j:log4j-over-slf4j to 1.7.36, which automatically replaces the jar with the reload4j replacement
From the official [website](https://www.slf4j.org/news.html)
• In this release, the "slf4j-log4j12" artifact automatically instructs Maven to use the "slf4j-reload4j" artifact instead. As you might have guessed, the "slf4j-reload4j" binding delegates log processing to the reload4j logging framework.
Reviewers: Enrico Olivelli <eo...@gmail.com>, Andrey Yegorov <None>
This closes #3167 from nicoloboschi/4.14-reload4j
---
.../src/main/resources/LICENSE-all.bin.txt | 15 +++++---------
.../src/main/resources/LICENSE-bkctl.bin.txt | 15 +++++---------
.../src/main/resources/LICENSE-server.bin.txt | 15 +++++---------
.../main/resources/deps/slf4j-1.7.32/LICENSE.txt | 24 ----------------------
pom.xml | 2 +-
5 files changed, 16 insertions(+), 55 deletions(-)
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index af98e87bf..678eb81a7 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -243,7 +243,7 @@ Apache Software License, Version 2.
- lib/io.vertx-vertx-core-3.9.8.jar [15]
- lib/io.vertx-vertx-web-3.9.8.jar [16]
- lib/io.vertx-vertx-web-common-3.9.8.jar [16]
-- lib/log4j-log4j-1.2.17.jar [17]
+- lib/ch.qos.reload4j-reload4j-1.2.19.jar [17]
- lib/net.java.dev.jna-jna-3.2.7.jar [18]
- lib/org.apache.commons-commons-collections4-4.1.jar [19]
- lib/org.apache.commons-commons-lang3-3.6.jar [20]
@@ -304,6 +304,8 @@ Apache Software License, Version 2.
- lib/io.perfmark-perfmark-api-0.23.0.jar [48]
- lib/org.conscrypt-conscrypt-openjdk-uber-2.5.1.jar [49]
- lib/org.xerial.snappy-snappy-java-1.1.7.jar [50]
+- lib/org.slf4j-slf4j-api-1.7.36.jar [51]
+- lib/org.slf4j-slf4j-reload4j-1.7.36.jar [51]
[1] Source available at https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.11.0
[2] Source available at https://github.com/FasterXML/jackson-core/tree/jackson-core-2.11.0
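Review bot: The two added entries place slf4j-api-1.7.36 and slf4j-reload4j-1.7.36 in the list under "Apache Software License, Version 2.", but the section this patch removes further down describes SLF4J as available under an MIT license. Listing the jars here misstates their license; keep them in a separate MIT section updated to 1.7.36 instead of appending them with reference [51]. The same applies to the matching hunks in LICENSE-bkctl.bin.txt and LICENSE-server.bin.txt.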
@@ -321,7 +323,7 @@ Apache Software License, Version 2.
[14] Source available at https://github.com/vert-x3/vertx-bridge-common/tree/3.9.8
[15] Source available at https://github.com/eclipse/vert.x/tree/3.9.8
[16] Source available at https://github.com/vert-x3/vertx-web/tree/3.9.8
-[17] Source available at http://logging.apache.org/log4j/1.2/download.html
+[17] Source available at https://reload4j.qos.ch/
[18] Source available at https://github.com/java-native-access/jna/tree/3.2.7
[19] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-collections.git;a=tag;h=a3a5ad
[20] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-lang.git;a=shortlog;h=refs/tags/LANG_3_6
@@ -352,6 +354,7 @@ Apache Software License, Version 2.
[48] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.23.0
[49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.1
[50] Source available at https://github.com/google/snappy/releases/tag/1.1.7
+[51] Source available at https://github.com/qos-ch/slf4j
------------------------------------------------------------------------------------
lib/io.netty-netty-codec-4.1.72.Final.jar bundles some 3rd party dependencies
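Review bot: Reference [51] links to the repository root (https://github.com/qos-ch/slf4j), while the entry it replaces pointed at a version tag (tree/v_1.7.32) and the neighbouring references [48] to [50] are all release-specific. Point [51] at the source for 1.7.36 so the bundled jars can be traced to the exact source they were built from.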
@@ -637,14 +640,6 @@ CDDL 1.1 license. For details, see deps/javax.servlet-api-4.0.0/CDDL+GPL-1.1.
Bundled as lib/javax.servlet-javax.servlet-api-4.0.0.jar
Source available at https://github.com/javaee/servlet-spec/tree/4.0.0
------------------------------------------------------------------------------------
-This product bundles Simple Logging Facade for Java, which is available under a
-MIT license. For details, see deps/slf4j-1.7.32/LICENSE.txt.
-
-Bundled as
- - lib/org.slf4j-slf4j-api-1.7.32.jar
- - lib/org.slf4j-slf4j-log4j12-1.7.32.jar
-Source available at https://github.com/qos-ch/slf4j/tree/v_1.7.32
-------------------------------------------------------------------------------------
This product bundles the Google Auth Library, which is available under a "3-clause BSD"
license. For details, see deps/google-auth-library-credentials-0.20.0/LICENSE
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
index 5934cec45..6dfe81c8d 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
@@ -232,7 +232,7 @@ Apache Software License, Version 2.
- lib/io.netty-netty-transport-classes-epoll-4.1.72.Final.jar [11]
- lib/io.netty-netty-transport-native-epoll-4.1.72.Final-linux-x86_64.jar [11]
- lib/io.netty-netty-transport-native-unix-common-4.1.72.Final.jar [11]
-- lib/log4j-log4j-1.2.17.jar [16]
+- lib/ch.qos.reload4j-reload4j-1.2.19.jar [16]
- lib/net.java.dev.jna-jna-3.2.7.jar [17]
- lib/org.apache.commons-commons-collections4-4.1.jar [18]
- lib/org.apache.commons-commons-lang3-3.6.jar [19]
@@ -281,6 +281,8 @@ Apache Software License, Version 2.
- lib/io.perfmark-perfmark-api-0.23.0.jar [47]
- lib/org.conscrypt-conscrypt-openjdk-uber-2.5.1.jar [49]
- lib/org.xerial.snappy-snappy-java-1.1.7.jar [50]
+- lib/org.slf4j-slf4j-api-1.7.36.jar [51]
+- lib/org.slf4j-slf4j-reload4j-1.7.36.jar [51]
[1] Source available at https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.11.0
[2] Source available at https://github.com/FasterXML/jackson-core/tree/jackson-core-2.11.0
@@ -293,7 +295,7 @@ Apache Software License, Version 2.
[9] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-lang.git;a=tag;h=375459
[10] Source available at http://svn.apache.org/viewvc/commons/proper/logging/tags/commons-logging-1.1.1/
[11] Source available at https://github.com/netty/netty/tree/netty-4.1.72.Final
-[16] Source available at http://logging.apache.org/log4j/1.2/download.html
+[16] Source available at https://reload4j.qos.ch/
[17] Source available at https://github.com/java-native-access/jna/tree/3.2.7
[18] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-collections.git;a=tag;h=a3a5ad
[19] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-lang.git;a=shortlog;h=refs/tags/LANG_3_6
@@ -321,6 +323,7 @@ Apache Software License, Version 2.
[47] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.23.0
[49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.1
[50] Source available at https://github.com/google/snappy/releases/tag/1.1.7
+[51] Source available at https://github.com/qos-ch/slf4j
------------------------------------------------------------------------------------
lib/io.netty-netty-codec-4.1.72.Final.jar bundles some 3rd party dependencies
@@ -563,14 +566,6 @@ Bundled as
Source available at https://github.com/protocolbuffers/protobuf/tree/v3.17.2
For details, see deps/protobuf-3.12.0/LICENSE.
------------------------------------------------------------------------------------
-This product bundles Simple Logging Facade for Java, which is available under a
-MIT license. For details, see deps/slf4j-1.7.32/LICENSE.txt.
-
-Bundled as
- - lib/org.slf4j-slf4j-api-1.7.32.jar
- - lib/org.slf4j-slf4j-log4j12-1.7.32.jar
-Source available at https://github.com/qos-ch/slf4j/tree/v_1.7.32
-------------------------------------------------------------------------------------
This product bundles the Google Auth Library, which is available under a "3-clause BSD"
license. For details, see deps/google-auth-library-credentials-0.20.0/LICENSE
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index 3f884e619..e68502be1 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -243,7 +243,7 @@ Apache Software License, Version 2.
- lib/io.vertx-vertx-core-3.9.8.jar [15]
- lib/io.vertx-vertx-web-3.9.8.jar [16]
- lib/io.vertx-vertx-web-common-3.9.8.jar [16]
-- lib/log4j-log4j-1.2.17.jar [17]
+- lib/ch.qos.reload4j-reload4j-1.2.19.jar [17]
- lib/net.java.dev.jna-jna-3.2.7.jar [18]
- lib/org.apache.commons-commons-collections4-4.1.jar [19]
- lib/org.apache.commons-commons-lang3-3.6.jar [20]
@@ -302,6 +302,8 @@ Apache Software License, Version 2.
- lib/io.perfmark-perfmark-api-0.23.0.jar [48]
- lib/org.conscrypt-conscrypt-openjdk-uber-2.5.1.jar [49]
- lib/org.xerial.snappy-snappy-java-1.1.7.jar [50]
+- lib/org.slf4j-slf4j-api-1.7.36.jar [51]
+- lib/org.slf4j-slf4j-reload4j-1.7.36.jar [51]
[1] Source available at https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.11.0
[2] Source available at https://github.com/FasterXML/jackson-core/tree/jackson-core-2.11.0
@@ -319,7 +321,7 @@ Apache Software License, Version 2.
[14] Source available at https://github.com/vert-x3/vertx-bridge-common/tree/3.9.8
[15] Source available at https://github.com/eclipse/vert.x/tree/3.9.8
[16] Source available at https://github.com/vert-x3/vertx-web/tree/3.9.8
-[17] Source available at http://logging.apache.org/log4j/1.2/download.html
+[17] Source available at https://reload4j.qos.ch/
[18] Source available at https://github.com/java-native-access/jna/tree/3.2.7
[19] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-collections.git;a=tag;h=a3a5ad
[20] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-lang.git;a=shortlog;h=refs/tags/LANG_3_6
@@ -350,6 +352,7 @@ Apache Software License, Version 2.
[48] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.23.0
[49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.1
[50] Source available at https://github.com/google/snappy/releases/tag/1.1.7
+[51] Source available at https://github.com/qos-ch/slf4j
------------------------------------------------------------------------------------
lib/io.netty-netty-codec-4.1.72.Final.jar bundles some 3rd party dependencies
@@ -629,14 +632,6 @@ CDDL 1.1 license. For details, see deps/javax.servlet-api-4.0.0/CDDL+GPL-1.1.
Bundled as lib/javax.servlet-javax.servlet-api-4.0.0.jar
Source available at https://github.com/javaee/servlet-spec/tree/4.0.0
------------------------------------------------------------------------------------
-This product bundles Simple Logging Facade for Java, which is available under a
-MIT license. For details, see deps/slf4j-1.7.32/LICENSE.txt.
-
-Bundled as
- - lib/org.slf4j-slf4j-api-1.7.32.jar
- - lib/org.slf4j-slf4j-log4j12-1.7.32.jar
-Source available at https://github.com/qos-ch/slf4j/tree/v_1.7.32
-------------------------------------------------------------------------------------
This product bundles the Google Auth Library, which is available under a "3-clause BSD"
license. For details, see deps/google-auth-library-credentials-0.20.0/LICENSE
diff --git a/bookkeeper-dist/src/main/resources/deps/slf4j-1.7.32/LICENSE.txt b/bookkeeper-dist/src/main/resources/deps/slf4j-1.7.32/LICENSE.txt
deleted file mode 100644
index 315bd4979..000000000
--- a/bookkeeper-dist/src/main/resources/deps/slf4j-1.7.32/LICENSE.txt
+++ /dev/null
@@ -1,24 +0,0 @@
-Copyright (c) 2004-2017 QOS.ch
-All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
-
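Review bot: Deleting deps/slf4j-1.7.32/LICENSE.txt without adding a 1.7.36 counterpart leaves the binary distribution without the SLF4J license text, although slf4j-api and slf4j-reload4j are still bundled and the text itself requires that the notice "be included in all copies or substantial portions of the Software". Move the file to deps/slf4j-1.7.36/LICENSE.txt and reference it from the three LICENSE-*.bin.txt files rather than removing it.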
diff --git a/pom.xml b/pom.xml
index f37d83950..110bbedda 100644
--- a/pom.xml
+++ b/pom.xml
@@ -160,7 +160,7 @@
<reflections.version>0.9.11</reflections.version>
<rocksdb.version>6.16.4</rocksdb.version>
<shrinkwrap.version>3.0.1</shrinkwrap.version>
- <slf4j.version>1.7.32</slf4j.version>
+ <slf4j.version>1.7.36</slf4j.version>
<snakeyaml.version>1.19</snakeyaml.version>
<spotbugs-annotations.version>3.1.8</spotbugs-annotations.version>
<javax-annotations-api.version>1.3.2</javax-annotations-api.version>
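Review bot: The only build change is the slf4j.version bump, so reload4j 1.2.19, which the LICENSE files now list by exact version, is not declared anywhere in this patch and appears to be resolved only transitively through slf4j-reload4j. Add an explicit reload4j version property and dependencyManagement entry so the bundled version is pinned and can be raised independently of SLF4J, and consider an exclusion or enforcer rule for log4j:log4j so the old jar cannot come back through another dependency. The commit message also names org.slf4j:log4j-over-slf4j, whereas the LICENSE hunks show slf4j-log4j12 being replaced by slf4j-reload4j; the message should name the artifact actually affected.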